Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About vishalduttauk
vishalduttauk
Communicator
Member since:
11-06-2020
09-12-2024
Community Statistics
| Posts | 55 |
| Solutions | 3 |
| Karma Given | 24 |
| Karma Received | 5 |
| Member Since | 11-06-2020 |
Activity Feed
- Posted Lost AWS events after ingestion on Getting Data In. 09-12-2024 01:51 AM
- Posted Tracking application of a Permission set and changes on All Apps and Add-ons. 06-25-2024 08:24 AM
- Tagged Tracking application of a Permission set and changes on All Apps and Add-ons. 06-25-2024 08:24 AM
- Tagged Tracking application of a Permission set and changes on All Apps and Add-ons. 06-25-2024 08:24 AM
- Got Karma for Push notifications stopped working. 05-23-2024 07:52 AM
- Karma Re: Push notifications stopped working for Ahmeed. 05-23-2024 07:49 AM
- Posted Push notifications stopped working on Monitoring Splunk. 05-21-2024 07:16 AM
- Posted Re: Subtract total values of 2 fields on Splunk Search. 09-28-2023 08:06 AM
- Posted Re: Subtract total values of 2 fields on Splunk Search. 09-28-2023 04:53 AM
- Karma Re: Subtract total values of 2 fields for ITWhisperer. 09-28-2023 04:51 AM
- Posted Re: Subtract total values of 2 fields on Splunk Search. 09-27-2023 08:38 AM
- Karma Re: Subtract total values of 2 fields for ITWhisperer. 09-27-2023 03:02 AM
- Posted How to subtract total values of 2 fields in a dashboard? on Splunk Search. 09-27-2023 12:51 AM
- Posted Why does the rising number not match the batch number? on All Apps and Add-ons. 06-06-2023 04:46 AM
- Karma Re: Create a field from values with the source field for vsommer. 03-30-2023 12:34 AM
- Karma Re: Create a field from values with the source field for gcusello. 03-30-2023 12:34 AM
- Posted How to create a field from values with the source field? on Getting Data In. 03-28-2023 08:23 AM
- Posted Re: Linebreak help on Getting Data In. 03-27-2023 06:59 AM
- Karma Re: Linebreak help for gcusello. 03-24-2023 04:14 AM
- Posted Help with creating a regex that splits API data into better format than 1 big event? on Getting Data In. 03-24-2023 02:44 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-12-2024
01:51 AM
I am in the middle of a Splunk migration. One of the tasks is to moved data from some sourcetypes onto the new servers using the | collect index=aws sourcetype=* command.
The numbers added up after running checks. I run the same checks again a day later and the numbers no longer match up.
Source 1 ->
Old Splunk
New Splunk
Source 2 ->
Old Splunk
New Splunk
August
12,478,853
12,478,853
26,171,911
26,171,911
24 hours later
Source 1 ->
Old Splunk
New Splunk
Source 2 ->
Old Splunk
New Splunk
12,478,853
12,477,696
26,171,911
3,001,183
I've set the following stanza within the indexes.conf file on the deployment server. Also the index only contains 22gb of data. Can you help?
[aws]
coldPath = $SPLUNK_DB\$_index_name\colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB\$_index_name\db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB\$_index_name\thaweddb
frozenTimePeriodInSecs=94608000
... View more
06-25-2024
08:24 AM
We are already ingesting Salesforce data via the Salesforce for Splunk Add on. I have a requirement to monitor when an admin permission set has been assigned to a user and what changes that user makes. Has anyone fulfilled a similar requirement? So far i have found a list of the following objects that could provide the information i need to see when a permission set is assigned to a user (https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_permissionsetassignment.htm) but not sure how to track what changes that admin user makes. Can you help?
... View more
Labels
- Labels:
-
administration
05-21-2024
07:16 AM
1 Karma
Has anyone noticed the push notifications through the Splunk Mobile app has stopped working recently. We are using Spunk on prem, Splunk Secure Gateway set up with prod.spacebridge.spl.mobi set as the Gateway but I noticed the notifications stopped appearing on my home screen of when my iPhone was locked. Other colleagues using different devices are complaining of the same issue. I can't remember the exact date but it may have been around the 3rd May. No changes to our config have been made but i'd be interested to know if anyone else is having this issue.
... View more
09-28-2023
08:06 AM
Thank you @ITWhisperer !! I've checked and its worked a treat as there are no duplicate propsals
... View more
09-28-2023
04:53 AM
Thank you and that has worked 👍 I've noticed we have got duplicates with our data. How can I dedup on PROPOSALNUMBER and PROPOSAL_NUMBER?
... View more
09-27-2023
08:38 AM
Thanks @ITWhisperer I can see the values in the query1 and query2 but count1 count2 diff are all showing as 0
... View more
09-27-2023
12:51 AM
Hi there,
I have a dashboard and I want to subtract the total number of events of 2 queries but not sure how to do it, can you help?
Query 1:
index=mssql sourcetype=SQL_Query source=Sales_Contracts_Activations* OR source=Sales_Contracts_Activations_BOM
Query 2:
index=mssql sourcetype=SQL_Query source=Esigns CALLBACK_STATUS="SUCCESS" STATUS=Complete
... View more
06-06-2023
04:46 AM
Hi there,
I am trying to get a rolling number whenever proposals get activated. I am able to execute the following SQL script which gets me a figure for proposals activated today using this:
select * from cr_managementinformation where activation_date >= '06-JUNE-23'
order by proposal_status
When I change the input type to Batch then i use this:
SELECT * FROM cr_managementinformation
WHERE PROPOSAL_NUMBER > ?
AND activation_date = TO_DATE(current_date)
ORDER BY PROPOSAL_NUMBER ASC
The rising number does not match the batch number. i.e. the batch number of activations today is 302 but the rising number is only 5.
Can you help?
... View more
Labels
03-28-2023
08:23 AM
I've created fields from regex expressions before but never from the source field.
This is an example of the value within the source field: \\host0000\Test\IT Information\ Data Files\Daily Reporting\Business Unit\
I would like to extract the business unit value and call it Business Unit.
I have access to create a props.conf file.
Can you help?
Kind regards,
Vishal
... View more
Labels
- Labels:
-
props.conf
03-24-2023
02:44 AM
Hi all,
I am getting data in via an API (using the add on builder) but having creating a regex which splits it into a better format rather than 1 big event. Here is an example of the event:
"@odata.context": "https://example-app-env.aa01.aaa.aaaa-ad/odata/$metadata#Jobs",
"@odata.count": 111,
"value": [
{
"Key": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"StartTime": "2023-01-20T14:08:34.607Z",
"EndTime": "2023-01-20T14:08:49.517Z",
"State": "Successful",
"JobPriority": "Normal",
"Source": "Agent",
"SourceType": "Agent",
"BatchExecutionKey": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"Info": "Job completed",
"CreationTime": "2023-01-20T14:08:34.607Z",
"StartingScheduleId": null,
"ReleaseName": "RobotProdLogin_DEV",
"Type": "Attended",
"InputArguments": "",
"OutputArguments": "{}",
"HostMachineName": "AAAAAAAA11111",
"HasMediaRecorded": false,
"PersistenceId": null,
"ResumeVersion": null,
"StopStrategy": null,
"RuntimeType": "Development",
"RequiresUserInteraction": true,
"ReleaseVersionId": 1111,
"EntryPointPath": null,
"OrganizationUnitId": 1,
"OrganizationUnitFullyQualifiedName": "Default",
"Reference": "",
"ProcessType": "Process",
"ProfilingOptions": null,
"ResumeOnSameContext": false,
"LocalSystemAccount": "AAAAAA01\\AAA11AA",
"OrchestratorUserIdentity": null,
"Id": 00000
},
{
"Key": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"StartTime": "2023-01-20T14:08:34.607Z",
"EndTime": "2023-01-20T14:08:49.517Z",
"State": "Successful",
"JobPriority": "Normal",
"Source": "Agent",
"SourceType": "Agent",
"BatchExecutionKey": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"Info": "Job completed",
"CreationTime": "2023-01-20T14:08:34.607Z",
"StartingScheduleId": null,
"ReleaseName": "RobotProdLogin_DEV",
"Type": "Attended",
"InputArguments": "",
"OutputArguments": "{}",
"HostMachineName": "AAAAAAAA11111",
"HasMediaRecorded": false,
"PersistenceId": null,
"ResumeVersion": null,
"StopStrategy": null,
"RuntimeType": "Development",
"RequiresUserInteraction": true,
"ReleaseVersionId": 1111,
"EntryPointPath": null,
"OrganizationUnitId": 1,
"OrganizationUnitFullyQualifiedName": "Default",
"Reference": "",
"ProcessType": "Process",
"ProfilingOptions": null,
"ResumeOnSameContext": false,
"LocalSystemAccount": "AAAAAA01\\AAA11AA",
"OrchestratorUserIdentity": null,
"Id": 00000
},
How i want it to look. Event 1
"@odata.context": "https://example-app-env.aa01.aaa.aaaa-ad/odata/$metadata#Jobs",
"@odata.count": 111,
"value": [
{
Event 2
{
"Key": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"StartTime": "2023-01-20T14:08:34.607Z",
"EndTime": "2023-01-20T14:08:49.517Z",
"State": "Successful",
"JobPriority": "Normal",
"Source": "Agent",
"SourceType": "Agent",
"BatchExecutionKey": "aaa1a111-aa11-11aa-a11a-11a1aa11a111",
"Info": "Job completed",
"CreationTime": "2023-01-20T14:08:34.607Z",
"StartingScheduleId": null,
"ReleaseName": "RobotProdLogin_DEV",
"Type": "Attended",
"InputArguments": "",
"OutputArguments": "{}",
"HostMachineName": "AAAAAAAA11111",
"HasMediaRecorded": false,
"PersistenceId": null,
"ResumeVersion": null,
"StopStrategy": null,
"RuntimeType": "Development",
"RequiresUserInteraction": true,
"ReleaseVersionId": 1111,
"EntryPointPath": null,
"OrganizationUnitId": 1,
"OrganizationUnitFullyQualifiedName": "Default",
"Reference": "",
"ProcessType": "Process",
"ProfilingOptions": null,
"ResumeOnSameContext": false,
"LocalSystemAccount": "AAAAAA01\\AAA11AA",
"OrchestratorUserIdentity": null,
"Id": 00000
},
Can you help?
... View more
Labels
- Labels:
-
props.conf
03-03-2023
05:06 AM
HI there,
I've created a multi select input called Source and the Data Configurations is set to a search and Use search results or job status as tokens is ticked (i've tried with this unticked).
The source filter shows the values I expect to see but nothing happens when I tick one or more of the options.
Not sure if the code below is relevant but I am adding it in case it helps
"inputs": {
"input_global_trp": {
"type": "input.timerange",
"options": {
"token": "global_time",
"defaultValue": "@d,now"
},
"title": "Global Time Range"
},
"input_OvTI7NW3": {
"options": {
"items": ">frame(label, value) | prepend(formattedStatics) | objects()",
"token": "ms_monMf0CU",
"defaultValue": ""
},
"title": "Source",
"type": "input.multiselect",
"dataSources": {
"primary": "ds_ESObVruQ"
},
"context": {
"formattedConfig": {
"number": {
"prefix": ""
}
},
... View more
Labels
- Labels:
-
chart
-
Dashboard Studio
02-03-2023
04:21 AM
Hi there, I am trying to ingest data which is stored within the profile of a user's AddData location: C:\Users\(User ID)\AppData\Local\UiPath\Logs but can't pull in any events. I've tried lots of different stanzas like [monitor://C:\Users\DKX*\AppData\ [monitor://C:\Users\DKX$\AppData\ [monitor://C:\Users\...\AppData\ [monitor://C:\Users\%userprofile%\AppData\ Any idea why it isn't working? I know i've not added in all my stanza attempts but could it be due to the Splunk service account not having access to that location?
... View more
Labels
- Labels:
-
inputs.conf
-
universal forwarder
12-29-2022
05:12 AM
Thanks @rrovers that has worked a treat 🙂
... View more
- Tags:
- thanks
12-29-2022
01:32 AM
Hi there, I have a search where I want to see where one date field is the same or starts before another but my search results only shows me events where both dates are the same, can you help? I am trying to find events which contains an end date that is before the created date. The data isn't create so a typical date entry would be 12112022 index=UAT sourcetype="Test_Txt_data" | eval end_date_epoch = strptime(end_date,"%d%m%Y") | eval created_date_epoch = strptime(created_date,"%d%m%Y") | where end_date_epoch <= created_date_epoch | eval end_date = strftime(end_date_epoch, "%d/%m/%Y"), created_date = strftime(created_date_epoch, "%d/%m/%Y") | table proposal, created_date, end_date
... View more
11-21-2022
07:00 AM
Thanks @yuanliu this has worked a treat! 😀
... View more
11-17-2022
06:23 AM
I have a simple search which is satisfaction_date=0 OR close_date=0 AND status=8 in the previous month. I now have a requirement where users want to see (last 30 days) where those records are now tagged with a different status. The unique identifier with each record is a proposal_id.
i.e in October proposal vdutta1 had a satisfaction date as 0 and status as 8. Proposal vdutta1 now has a satisfaction date as 0 and status as 6 so this record should be shown.
Can you help?
... View more
11-14-2022
03:11 AM
Hi @gcusello The week day alerts were working fine but I've applied 0, 6 to the weekend alerts so that should work now.
... View more
11-14-2022
12:50 AM
Hi there, I used to have a couple of alerts which worked using a crons expression from Monday to Saturday (*/15 7-19 * * 1-) and another for Sunday (*/15 10-15 * * 0). The requirements changed so I needed the Saturday and Sunday alert timings to be the same. I used (*/15 10-15 * * 6-7) but that didn't that didn't trigger an alert. I tried */15 10-15 * * SAT-SUN but it doesn't accept that format. Can you help me with a crons expression for Saturday and Sunday?
... View more
Labels
- Labels:
-
alert condition
-
cron
11-14-2022
12:44 AM
Hi @majilan1, I have a number of alerts based on something similar and this is the search I use. The search doesn't look at the D drive but you can always add in mount="D:". source="PerfmonMK:LogicalDisk" instance!= C: instance!=_Total %_Free_Space<10
... View more
11-09-2022
02:54 AM
Hi @gcusello I am implementing that to the existing datetime.xml file. Is this what i should add? </define> <define name="_masheddate2" extract="month, day, year"> <text><![CDATA[(?:^|mylogs_01-10-2022.log::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]></text> </define>
... View more
11-07-2022
05:12 AM
Hi @gcusello I would like to add the same fixed one for every event within the file which will be uploaded.
... View more
11-07-2022
03:54 AM
Thanks @gcusello I will do that. I can't rely on the created date of the file which i will re-upload? How can i specify the the timestamp as I have older data which needs to be uploaded. The method is to use the add data functionality and to upload the txt file to the specified index.
... View more
11-07-2022
01:08 AM
Hi there,
I have a requirement where I have a large number of events which was uploaded on the 4th November but that needs to be changed to 1st November after it has been indexed. Is that possible?
... View more
10-18-2022
01:09 AM
1 Karma
I managed to find a solution which is to use $job.latestTime$ instead. I have applied this to all our alerts now. This is where I got the idea from: https://community.splunk.com/t5/Dashboards-Visualizations/Setting-job-earliestTime-and-job-latestTime-tokens-for-the-date/m-p/345199
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-12-2024
01:37 AM
|
